Publication


Featured researches published by Monika Sachdeva.


Artificial Intelligence Review | 2010

The use of artificial intelligence based techniques for intrusion detection: a review

Gulshan Kumar; Krishan Kumar; Monika Sachdeva

The Internet connects hundreds of millions of computers across the world running on multiple hardware and software platforms providing communication and commercial services. However, this interconnectivity among computers also enables malicious users to misuse resources and mount Internet attacks. The continuously growing Internet attacks pose severe challenges to developing flexible, adaptive, security-oriented methods. The intrusion detection system (IDS) is one of the most important components used to detect Internet attacks. In the literature, different techniques from various disciplines have been utilized to develop efficient IDS. Artificial intelligence (AI) based techniques play a prominent role in the development of IDS and have many benefits over other techniques. However, there is no comprehensive review of AI based techniques to examine and understand the current status of these techniques to solve the intrusion detection problems. In this paper, various AI based techniques have been reviewed focusing on development of IDS. Related studies have been compared by their source of audit data, processing criteria, technique used, dataset, classifier design, feature reduction technique employed and other experimental environment setup. Benefits and limitations of AI based techniques have been discussed. The paper will help in better understanding the different directions in which research has been done in the field of IDS. The findings of this paper provide useful insights into the literature and are beneficial for those who are interested in applications of AI based techniques to IDS and related fields. The review also provides the future directions of the research in this area.


Workshop on Information Security Applications | 2016

A comprehensive approach to discriminate DDoS attacks from flash events

Monika Sachdeva; Krishan Kumar; Gurvinder Singh

Most of the business applications on the Internet are dependent on web services for their transactions. Distributed denial of service (DDoS) attacks either degrade or completely disrupt web services by sending a flood of packets in the form of legitimate looking requests towards the victim web servers. Flash event (FE), which is an overload condition caused by a large number of legitimate requests, has similar characteristics as that of DDoS attacks. Therefore, detection of DDoS attacks with FE as background traffic is one of the hardest problems confronted by the network security researchers. Moreover, DDoS attacks and FEs require altogether different handling procedures. In this paper, traffic cluster entropy is derived from source address entropy and their combination is used not only to detect various types of DDoS attacks against web services but also to distinguish DDoS attacks from FEs. Optimal thresholds for traffic cluster entropy are calibrated through receiver operating characteristic curve (ROC). Proposed detection approach can operate in one of the defence modes: naive, normal or best, based on attack detection sensitivity requirements. Sensitivity of detection metric is tested using multiple simulation scenarios with different types of DDoS attacks along with variation in origins of attack and FE traffic. Detection of a variety of DDoS attacks like high rate skewed DDoS attacks, low rate isotropic attacks, subnet spoofed DDoS attacks and sophisticated DDoS attacks has been demonstrated. The effectiveness of the proposed approach in terms of false positive rate, detection rate and classification rate is validated through simulations carried out using NS-2 on a Linux platform.


International Journal of Computer Applications | 2012

Mobile Client's Access Mechanism for Location based Service using Cell-ID

Gurjeet Kaur; Monika Sachdeva; Navdeep Singh

A location-sensitive service relies on the user's mobile device to determine its location and send the location to the application. A location-based service is a service that determines the location of a mobile device and uses this to provide functionalities and information specific to that location. With the growth of the importance and of the audience of location-based services, questions of security and privacy are brought forward. As services are being built on top of this technology, the number of parties increases significantly, and the possibility of a malicious insider (or a misbehaving insider) emerges. The extent to which the parties care to trust each other has reduced, and trust amongst the various parties can no longer be assumed by a location-based service. An attacker may try to steal a service (e.g., claiming to be a client to get free internet access), service providers may gain of private information. There should be a proper authentication mechanism between client and server to access the services. By considering some important factors like cost and energy efficiency, we have proposed an access mechanism in which mobile phone users will send requests for some services from the server. Firstly, location verification is done; the server verifies the user's mobile phone's location against the authorized location. After user/device authentication is done, the server checks user/device identification. If both conditions are true, the server will grant access to the users for services and resources.


International Scholarly Research Notices | 2014

A traffic cluster entropy based approach to distinguish DDoS attacks from flash event using DETER testbed

Monika Sachdeva; Krishan Kumar

The detection of distributed denial of service (DDoS) attacks is one of the hardest problems confronted by the network security researchers. Flash event (FE), which is caused by a large number of legitimate requests, has similar characteristics to those of DDoS attacks. Moreover DDoS attacks and FEs require altogether different handling procedures. So discriminating DDoS attacks from FEs is very important. But the research involving DDoS detection has not laid enough emphasis on including FEs scenarios in the experiments. In this paper, we are using traffic cluster entropy as detection metric not only to detect DDoS attacks but also to distinguish DDoS attacks from FEs. We have validated our approach on cyber-defense technology experimental research laboratory (DETER) testbed. Different emulation scenarios are created on DETER using mix of legitimate, flash, and different types of attacks at varying strengths. It is found that, when flash event is triggered, source address entropy increases but the corresponding traffic cluster entropy does not increase. However, when DDoS attack is launched, traffic cluster entropy also increases along with source address entropy. An analysis of live traces on DETER testbed clearly manifests supremacy of our approach.


International Journal of Computer Applications | 2011

Deployment of Distributed Defense against DDoS Attacks in ISP Domain

Monika Sachdeva; Gurvinder Singh; Krishan Kumar

Distributed Denial of Service attacks pose a serious threat to the online applications like banking, trade, and e-commerce which are dependent on availability of Internet. Defending Internet from these attacks has become the need of the hour for sustainable development of any economy. Most of the research work in this area focuses on developing defense against these attacks without considering its practical deployment on the Internet. They evaluate the defense through simulation or experimenting in controlled environments. However a sincere thought is required to deploy these defense mechanisms in an incrementally acceptable way on the Internet. In this paper, the focus is on deployment aspect of defense system against DDoS attacks. The DDoS defense system in general is anatomized and need for distributed defense as compared to centralized defense has been highlighted. All possible defense locations on the Internet are critically analyzed for suitability of DDoS defense system deployment. A review of existing distributed defense schemes in terms of deployment is also carried out. Based on Internet structure, its working, and desired DDoS defense characteristics, ISP domain is chosen for deployment. However extending cooperation among ISPs and secure framework for communication among ISPs remain future concerns of our work.

General Terms: Network Security, Distributed Systems.


International Journal of Computer Applications | 2013

DDoS Attack Prevention and Mitigation Techniques - A Review

Deepika Mahajan; Monika Sachdeva

The present era is completely dependent on the Internet. The Internet serves as a global information source for all users, so the availability of the Internet is very important. In this paper the main focus is on the DDoS attack, which hinders network availability by flooding the victim with a high volume of illegitimate traffic, usurping its bandwidth and overburdening it to prevent legitimate traffic from getting through. Various techniques to prevent and mitigate these attacks, along with their advantages and disadvantages, are also discussed.


International Conference on Computer and Communication Technology | 2011

An emulation based impact analysis of DDoS attacks on web services during flash events

Monika Sachdeva; Gurvinder Singh; Krishan Kumar

The phenomenal growth of the Internet has changed the way traditional essential services such as banking, transportation, medicine, education and defense are operated. In the present era, the Internet is considered the main infrastructure of the global information society. Therefore, the availability of the Internet is very critical. Distributed denial-of-service (DDoS) attacks pose an immense threat to the availability of these services. The services are severely degraded and hence a lot of business losses are incurred due to these attacks. To objectively evaluate the impact of DDoS attacks, their severity and the effectiveness of a potential defense, precise, quantitative and comprehensive DDoS impact metrics that are applicable to web services are required. In this paper, a network topology is emulated and a Flash Event (legitimate web traffic at high rate) is generated. The attack traffic is generated at different strengths using different protocols to measure attack impact on the web service. The impact is measured in terms of metrics such as Throughput, Response Time, Active Connections, Percentage of Failed Transactions, Legitimate Packet Survival Ratio, Percentage of Packets Lost, Percentage of Request Packets Lost and Bottleneck Bandwidth.


International Conference on Advanced Computing | 2011

Characterizing DDoS attack distributions from emulation based experiments on DETER testbed

Ketki Arora; Krishan Kumar; Monika Sachdeva

In the present era the Internet has changed the way traditional essential services such as banking, transportation, power, health and defense are operated. These operations are being replaced by cheaper and more efficient Internet-based applications. It is all because of the rapid growth and success of the Internet in every sector. Nowadays, the world is highly dependent on the Internet. Hence, availability of the Internet is very critical for the socio-economic growth of society. The distributed denial of service (DDoS) attack is a kind of attack which poses an immense threat to the availability of the Internet. DDoS attacks occur almost every day. Due to the lack of a comprehensive solution to these attacks, the frequency and the volume of these attacks are soaring day by day. Currently there is no general consensus in the research community regarding the distribution of attack traffic that is being used by attackers to launch attacks. As a result, researchers generally use attack distributions which they feel are more relevant and comfortable for testing and validating their defense approaches. This leads to incomplete, ambiguous and imprecise outcomes. In this paper, we have characterized DDoS attack distributions from emulated attack datasets created using the DETER testbed. Attack traffic distributions created by us can be directly used by researchers to validate their defense mechanisms against DDoS attacks and hence will foster formulation of comprehensive defense solutions.


Archive | 2018

Detection of Hello Flood Attack on LEACH in Wireless Sensor Networks

Reenkamal Kaur Gill; Monika Sachdeva

Wireless sensor networks are a newer technology consisting of sensor nodes deployed in an unattended environment which collect environmental data by sensing and then forward it to the base station. The security of WSN in such an environment is very difficult. There are many routing protocols for WSN, but LEACH is the widely used energy proficient hierarchical routing protocol which saves nodes' energy by forming clusters. In LEACH, a cluster member forwards its data to the cluster head, which then aggregates and forwards the entire data it received from member nodes to the base station. The various types of attacks which threaten the services of LEACH are Sybil attack, black hole, selective forwarding, and Hello flooding attack. Hello flooding attack is a type of DoS attack which degrades the performance of LEACH by continuously sending a large number of cluster head advertisement packets. In this text, firstly, we have discussed the LEACH routing protocol and how it can be compromised by Hello flooding attackers. Once we threaten the services of LEACH by Hello flood attack, the impact of attacks on the performance metrics of LEACH is evaluated. In this paper, we have also proposed a detection strategy using coordinator nodes which detect the nodes causing Hello flood attack and then prevent it. The performance of the algorithm is then tested using the NS-2 simulator.


Journal of Network and Computer Applications | 2018

D-FACE: An anomaly based distributed approach for early detection of DDoS attacks and flash events

Sunny Behal; Krishan Kumar; Monika Sachdeva

In the present computer era, though the Internet-based applications are the driving force of social evolution, yet its architectural vulnerabilities proffer plethoric leisure to the attackers for conquering diversity of attacks on its services. Distributed Denial of Service (DDoS) is one such prominent attack that constitutes a lethal threat to the Internet domain that harnesses its computing and communication resources. Despite the presence of enormous defense solutions, ensuring the security and availability of data, resources, and services to end users remains an ongoing research challenge. In addition, the increase in network traffic rates of legitimate traffic and flow similarity of attack traffic with legitimate traffic has further made the DDoS problem more crucial. The current research has deployed DDoS defense solutions primarily at the victim-end because of the inherent advantages of easy deployment and availability of complete attack information. However, the huge network traffic volume generated by DDoS attacks and lack of sufficient computational resources at the victim-end make the defense solution itself vulnerable to these attacks. This paper proposes an ISP level distributed, flexible, automated, and collaborative (D-FACE) defense system which not only distributes the computational and storage complexity to the nearest point of presence (PoPs) routers but also leads to an early detection of DDoS attacks and flash events (FEs). The results show that the D-FACE defense system outperformed the existing Entropy-based systems on various defense system evaluation metrics.

Collaboration


Monika Sachdeva's collaboration.

Top Co-Authors

Krishan Kumar
Shaheed Bhagat Singh State Technical Campus

Gurvinder Singh
Guru Nanak Dev University

Gulshan Kumar
Shaheed Bhagat Singh State Technical Campus

Sunny Behal
Punjab Technical University

Kuldip Singh
Indian Institute of Technology Roorkee

Rajinder Kaur
Shaheed Bhagat Singh State Technical Campus

Navdeep Singh
Veermata Jijabai Technological Institute

Priya Chawla
Shaheed Bhagat Singh State Technical Campus

Reenkamal Kaur Gill
Shaheed Bhagat Singh State Technical Campus